Algoritmo CAST

Rodrigo Boccasius

2/23

Agenda

IntroduçãoEspecificação do AlgoritmoCriptoanáliseAplicaçõesConsiderações FinaisReferências

3/23

Um breve histórico

CAST (Carlisle Adams and Stafford Tavares)

CAST é uma família de cifradoresCAST64CAST128 (ou CAST5)CAST256 (candidato ao AES)

4/23

Cifragem CAST

Algoritmo de cifragem inspirado no DESFeistel network-like structure (called a

substitution-permutation network)

5/23

CAST x DES (por William Stallings)

CAST uses fixed S-boxes, but ones that are considerably larger than those used in DES. These S-boxes were carefully designed to be nonlinear and resistant to cryptanalysis.

Another interesting feature of CAST-128 is that the round function, differs from round to round, again adding to cryptanalytic strength.

6/23

CAST x DES (por William Stallings)

The subkey-generation process used in CAST-128 is different from that employed in other conventional block encryption algorithms.

The CAST designers made the subkeys as resistant to known cryptanalytic attacks as possible and felt that the use of highly nonlinear S-boxes to generate the subkeys from the main key provided this strength.

7/23

Especificação do algoritmo - 128

ChavesPara chaves entre 40 e 80 bits (incrementos

de 8 em 8 bits), algoritmo usa 12 rodadas;Para chaves maior que 80, algoritmo usa 16

rodadas;Para chaves menores de 128 bits, há zero-

padding na chave;Mistura de operações adição módulo

2/ou exclusivo/adição módulo 232

8/23

2 rodadas do bloco de cifragem do CAST128

9/23

Características

Desejáveis:Strict Avalanche Criterion (alteração de 1 bit na

entrada altera 50% dos bits na saída)Bit Independence Criterion (inexistência de

ligação entre um bit da saída e um bit da entrada)Não é complementar Não possui chaves fracas ou semi-fracasDecriptação é a encriptação com inversão

na ordem das sub-chaves

10/23

Características

Indesejáveis: “CAST seems unlikely to be suitable for

implementation on these processors because it requires 4096 bytes of S-box ROM, which is unreasonably large.” (Performance Analysis of AES candidates on the 6805 CPU core)

11/23

Especificação do algoritmo - 256

CAST256Para a candidatura ao AES, foi necessário

aumentar tamanho do bloco de cifragem para 128 bits

Modificações na rede clássica de Feistel para uma rede “generalizada”

Chaves de 128, 192 ou 256 bits48 rodadas ou 12 quad-rodadas

12/23

13/23

Especificação do algoritmo - 256

Desvantagem potencial:Estruturas diferentes para encriptação e

decriptaçãoSolução encontrada:

Primeira metade dos deslocamentos para a direita, segunda metade para a esquerda

Desempenho da encriptação e da decriptação são iguais.

14/23

Criptoanálise

CAST64 related-key attack conhecido, mas impraticável.

(Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA)

CAST128 Resistente a criptoanálise linear e diferencial.

(Resistance of a CAST-Like Encryption Algorithm to Linear)

CAST256 Embora tenha características diferentes de difusão,

também é resistente (An Analysis of the CAST-256 Cipher)

15/23

Criptoanálise

"It is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. There are no known attacks on CAST with reduced rounds – it looks incredibly secure. CAST is now the default cipher in PGP." (PGP Diffie-Hellman vs. RSA FAQ: What is CAST?)

16/23

Aplicações

Diversas ferramentas comerciais de cifragem de dadosTrueCryptCryptoExpert 2004 Lite (CAST only)E4M Disk Encryption

PGP (Pretty Good Privacy)CAST128 é o algoritmo default

17/23

Considerações Finais

RFC 2144 define um teste de manutenção: Definição em pseudo-código Vetores ‘a’ e ‘b’ de 128 bits xL e xR metade mais a esquerda e a direita, respectivamente

Initial a = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)Initial b = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)

do 1,000,000 times{ aL = encrypt(aL,b) aR = encrypt(aR,b) bL = encrypt(bL,a) bR = encrypt(bR,a)}

Verify a == EE A9 D0 A2 49 FD 3B A6 B3 43 6F B8 9D 6D CA 92 (hex)Verify b == B2 C9 5E B0 0C 31 AD 71 80 AC 05 B8 E8 3D 69 6E (hex)

18/23

Considerações Finais

Ainda seguro, ainda em uso“The large s-boxes are implemented to

efficiently eliminate the permutations found in DES between rounds of substitutions and, as a result, CAST is very efficient algorithm for software implementation.”

19/23

Por que não usar apenas o AES?

Yes, I know, the Rijndael now is the best and generally used (AES) encryption algorithm. Other algorithms are less common and non-standard.

Using Rijndael with a 256-bit encryption key makes me sure that my data won't be broken and read by an unauthorized person in the next thousand of years or, more probably, next 1000000... years.

But, what if I don't need to hide my data from everybody forever? It is quite enough to maintain my encrypted data within the next 50-60 years or so.

It is almost improbable that one day somebody will be able to break a message encrypted with a key of 128 bits in length if the encryption algorithm is good.

20/23

Por que não usar apenas o AES?

So, it is the same for most of the applications whether you use an algorithm with 256-bit key or 128-bit key. Both are practically unbreakable. Why don't I like the strongest ciphers? There are two main reasons: the performance, and the usability.

CAST-128 is three times faster than a AES-256 cipher on the .NET 2.0 platform. Also, CAST-128 is two times faster than the reduced version of the Rijndael algorithm working with a 128-bit key (AES-128).

As for usability, I think it is easier to manipulate keys of 128 bits in length because they are more human readable.

21/23

Referências

Todas as referências foram acessadas em maio/2007

http://jya.com/cast.html

http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#mode

http://citeseer.ist.psu.edu/lee97resistance.html

http://www.thefreecountry.com/security/encryption.shtml

http://www.faqs.org/rfcs/rfc2144.html

22/23

Referências

http://en.wikipedia.org/wiki/CAST-256

http://www.ipa.go.jp/security/rfc/RFC2144EN.html

http://www.mirrors.wiretapped.net/security/cryptography/algorithms/cast/ (Código Fonte)

http://www.netaction.org/encrypt/appendixb.html

http://www.kremlinencrypt.com/algorithms.htm

http://www.scramdisk.clara.net/pgpfaq.html#SubCAST

23/23

Referências

http://www.cryptopp.com/benchmarks.html http://en.wikipedia.org/wiki/Block_size_(cryptography) http://en.wikipedia.org/wiki/Block_cipher http://www.jetico.com/linux/bcrypt-help/c_gloss.htm http://www.codeproject.com/dotnet/CastEncryptor.asp http://community.roxen.com/developers/idocs/rfc/rfc2984.html http://www.commsdesign.com/main/9811/9811feat3.htm http://en.wikipedia.org/wiki/Avalanche_effect http://www.answers.com/topic/feistel-cipher http://www.ciphersbyritter.com/NEWS/95050101.HTM http://www.faqs.org/faqs/cryptography-faq/part07/ http://www.cescomm.co.nz/about/aes.html